Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 13 Jun 2018 21:01:02 +0000
From: Xen.org security team <security@....org>
To: xen-announce@...ts.xen.org, xen-devel@...ts.xen.org,
 xen-users@...ts.xen.org, oss-security@...ts.openwall.com
CC: Xen.org security team <security-team-members@....org>
Subject: Xen Security Advisory 267 (CVE-2018-3665) - Speculative register
 leakage from lazy FPU context switching

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2018-3665 / XSA-267
                              version 3

     Speculative register leakage from lazy FPU context switching

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

x86 has a hardware mechanism for lazy FPU context switching.  On a task
switch, %cr0.ts (Task Switched) gets set, and the next instruction to
touch floating point state raises an #NM (No Math, later known as Device
Not Available) exception.

Traditionally, FPU state has been large in comparison to available
bandwidth (and therefore slow to switch) and not used as frequently as
cpu tasks tend to switch.  This mechanism allows the OS to only switch
FPU when necessary, which in turn increases performance.

Some CPUs however speculate past an #NM exception, allowing register
content to be leaked by a side-channel.

For more details, see:
  https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html

IMPACT
======

An attacker can read x87/MMX/SSE/AVX/AVX-512 register state belonging to
another vCPU previously scheduled on the same processor.  This can be
state belonging a different guest, or state belonging to a different
thread inside the same guest.

Furthermore, similar changes are expected for OS kernels.  Consult your
operating system provider for more information.


VULNERABLE SYSTEMS
==================

Systems running all versions of Xen are affected.

Only x86 processors are vulnerable.  ARM processors are not known to be
affected.

Only Intel Core based processors (from at least Nehalem onwards) are
potentially affected.  Other processor designs (Intel Atom/Knights
range), and other manufacturers (AMD) are not known to be affected.

MITIGATION
==========

Depending on the availability of host resources, leakage can be
prevented between VMs by using cpupools or cpu pinning to isolate the
vCPUs from different VMs to separate pCPUs.

CREDITS
=======

This issue was discovered by Julian Stecklina (jsteckli@...zon.de) from
Amazon and Thomas Prescher (thomas.prescher@...erus-technology.de) from
Cyberus Technology.

It was also independenty discovered by Zdenek Sojka from SYSGO
(http://sysgo.com) and by Colin Percival.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa267-[12].patch      xen-unstable
xsa267-4.10-[12].patch Xen 4.10.x
xsa267-4.9-[12].patch  Xen 4.9.x, 4.8.x
xsa267-4.7-[12].patch  Xen 4.7.x
xsa267-4.6-[12].patch  Xen 4.6.x

Alternatively, the following patches can be used to create livepatches for
running hypervisors.

xsa267-livepatch.patch     xen-unstable, Xen 4.10.x, 4.9.x
xsa267-4.8-livepatch.patch Xen 4.8.x

$ sha256sum xsa267*
d126e57ac6151e661294da9211a9d556845255a9d1909d73ec58a28c81b4a79d  xsa267-1.patch
00ec30c3738c3fcac8ca24a03308fc2d2dacab78640c17e5bb078e474b263719  xsa267-2.patch
9172c51e3652498740aa54c7953fb70c6df3902b382a9e9fa25a82943f70849d  xsa267-4.6-1.patch
8579fa847aea19b3666db39c9c844c32b543e5504f49074e48600c4958fa9eba  xsa267-4.6-2.patch
0fb7c123947a95963537ddeb156718d93a3d04b42486009fc520eaaeeba8aad6  xsa267-4.7-1.patch
418a71f8fc5b3ff1a5eb5cf4d161dea9c88697b50d84d8b8eec1ecf594f798f1  xsa267-4.7-2.patch
488f769e19acfe4ca59c731f58c5d464ec694e3c1923fbb3a26e6ed85afa68f8  xsa267-4.8-livepatch.patch
b4d1712b48c71ca541b6a39c182c3a134ff4d36cbf52ef6d65444ce84729c4b3  xsa267-4.9-1.patch
5ab13ae9ea070b2eee6ecf31324518f8315b7c0e523295d7892e5263fccb9d1f  xsa267-4.9-2.patch
9703a2e661f67408a108b540d296439cd349027a322b2e360780319897386753  xsa267-4.10-1.patch
d30dcb4887cb1963b460f850f34f0cd179704a2cdc8cdaf72bd16e495a0d63f1  xsa267-4.10-2.patch
7832229d987ac9b7292eb815d54b78e9884b892795d9ac3f11f0752f6c59d312  xsa267-livepatch.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.


(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJbIX1aAAoJEIP+FMlX6CvZiA4H/iwQn5aa+9+iE6wVNhfI3XX4
YvogEPGW4Zp3Brq5ATDoyanIdabWU+5Tq4MtAyR3IyaFrnoevLFfumKIQjnqI3sk
ef4PuxEYtVyiqwC+01o0Uk1+1K83xA4dG2wukuJbOtEF44d4X5fq9RWqdLprBADx
FW7MrFeXcoQsbbRLfZzUZpjtQQ1Lys8gHbU+Un9l9yZjRUErxUFLhhsrpIwkYFF9
6zhlYGPdpZQ1s7W6OclD/Tm5ZpauggjJfLWSAckAuobNaR6bKh6iwr3AMWH0w+2w
H7U2oKHQPw3kpiEz42cEEN9FDm/9mGNgNYkC+aPtn40zYuKhyBnORBMgssmA0Tk=
=By/q
-----END PGP SIGNATURE-----

Download attachment "xsa267-1.patch" of type "application/octet-stream" (2160 bytes)

Download attachment "xsa267-2.patch" of type "application/octet-stream" (8244 bytes)

Download attachment "xsa267-4.6-1.patch" of type "application/octet-stream" (1942 bytes)

Download attachment "xsa267-4.6-2.patch" of type "application/octet-stream" (8230 bytes)

Download attachment "xsa267-4.7-1.patch" of type "application/octet-stream" (2214 bytes)

Download attachment "xsa267-4.7-2.patch" of type "application/octet-stream" (8215 bytes)

Download attachment "xsa267-4.8-livepatch.patch" of type "application/octet-stream" (4393 bytes)

Download attachment "xsa267-4.9-1.patch" of type "application/octet-stream" (2180 bytes)

Download attachment "xsa267-4.9-2.patch" of type "application/octet-stream" (8232 bytes)

Download attachment "xsa267-4.10-1.patch" of type "application/octet-stream" (2212 bytes)

Download attachment "xsa267-4.10-2.patch" of type "application/octet-stream" (8244 bytes)

Download attachment "xsa267-livepatch.patch" of type "application/octet-stream" (4371 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.